This how-to guide provides the very fundamental configuration to get a (Brother) IPP network printer working in Qubes OS.
What is IPP Everywhere™ (driverless printing) and why should I pick a IPP printer?
What printer supports IPP?
For the ease of use and to avoid typing errors, I do not put all command in dom0 to benefit from copy & paste some code lines directly to the templateVM and appVM. To keep things minimal and avoid messing up your default templates, we are going to use a Debian minimal template as a baseline (the ‘deb-12-m-printer’ will be a clone of it).
There are additional printer features to discover (i.e. IPPS encrypted printing) and more Qubes OS configuration you can do (i.e. disposable printer qube). Feel free to extend this guide with additional configuration options. 
This guide has been made with following software and hardware:
Software:
Qubes OS 4.2.2
Debian 12 (debian-12-minimal)
cups 2.4.2
Hardware:
Brother-HL-L2375DW with ‘Generic IPP Everywhere Printer [en] recommended’ printer driver (available in cups package)
…
With a very high probability, it should also work with newer versions and other IPP-compliant hardware. Feel free to add additional printers and update new software versions if you have successfully configured your printer based on this guide.
1. Set printer IP
Login to your router admin console and set a fix IP address for your printer. (i.e. 192.168.178.1) Restart your printer and verify that the IP is properly set and it is accessible within your local network (send pings, open the browser web-interface etc.).
2. Create printer qubes
Open a dom0 terminal (and keep it open):
dxy=$(qvm-template list --available | grep -Eo "debian.*minimal" | tail -n 1 | grep -Eo "[0-9]+")
src="debian-${dxy}-minimal"
tpl="deb-${dxy}-m-printer"
app="printer"
qvm-template install ${src}
qvm-clone ${src} ${tpl}
qvm-create ${app} --template ${tpl} --label red
3. Install printer software packages
open the deb- * -m-printer (template) terminal from the dom0 terminal:
qvm-run --pass-io --user root ${tpl} xterm
afterwards, in the deb- * -m-printer terminal:
You can copy & paste these code lines into the xterm terminal by:
- copy the line (select, ctrl+c)
- copy to Qubes OS clipboard (shift+ctrl+c)
- paste from Qubes OS clipboard to xterm (shift+ctrl+v)
- paste from xterm clipboard (middle mouse click)
apt update && apt upgrade --yes
apt install --no-install-recommends qubes-core-agent-passwordless-root qubes-core-agent-networking qubes-core-agent-nautilus qubes-pdf-converter qubes-img-converter qubes-app-shutdown-idle cups system-config-printer nautilus evince eog xfce4-notifyd dunst pdftk --yes
exit
back to dom0 terminal:
qvm-shutdown ${tpl}
qvm-service ${app} cups on
If you are using a VPN
You must ensure that you have access to your local (printer) network either by routing your ‘printer’ qube to a separate (local) network qube or by a VPN split tunnel configuration.
qvm-prefs ${app} netvm <sys-firewall-local-network>
4. Make cups file persistent (bind-dirs)
open the printer (appVM) terminal from the dom0 terminal:
qvm-run --pass-io --user user ${app} xterm
afterwards, in the printer terminal:
You can copy & paste these code lines into the xterm terminal by:
- copy the line (select, ctrl+c)
- copy to Qubes OS clipboard (shift+ctrl+c)
- paste from Qubes OS clipboard to xterm (shift+ctrl+v)
- paste from xterm clipboard (middle mouse click)
sudo mkdir --parents /rw/config/qubes-bind-dirs.d
sudo mkdir --parents /rw/bind-dirs/etc/cups/
sudo cp --recursive /etc/cups/* /rw/bind-dirs/etc/cups/
echo binds+=\( \'/etc/cups/\' \) | sudo tee /rw/config/qubes-bind-dirs.d/50_user.conf
exit
back to dom0 terminal:
qvm-shutdown ${app}
5. Add and configure printer
open the printer (appVM) terminal from the dom0 terminal:
qvm-run --pass-io --user user ${app} xterm
afterwards, in the printer terminal:
printer_name="Brother-HL-L2375DW" # modify to your configuration!
printer_IP="192.168.178.1" # modify to your configuration!
Verify printer connection
ping -c 1 -q ${printer_IP}
pinging was successfully
--- 192.168.178.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
ping test failed 
--- 192.168.178.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Please double check that your printer is switched on, printer has a fix IP address and the printer appVM qube has the proper netvm defined (to access your local network; see qube Settings).
sudo usermod -aG lpadmin user
sudo systemctl restart cups.service
Verify cups is running
systemctl status cups
All status should show active (running), enabled etc.
If an error or failure is displayed check the printer appVM qube Settings: Tab ‘Services’. Cups should be listed and checked.
sudo lpadmin -p ${printer_name} -E -v ipp://${printer_IP}/ipp/print -m everywhere
back to dom0 terminal:
qvm-shutdown ${app}
Finally, go to the ‘printer’ qube ‘Settings’, to the ‘Applications’ tab and add:
- Document Viewer
- Files
- Image Viewer
- Printer Settings
Back to the Q-menu: printer qube and launch Printer Settings
You should see your printer (icon and printer name), right-click on it, make your final configurations (page size / format, dpi …) and run a test page.
Happy IPP printing 
6. Printer, Qubes OS, IPP options
'Printer harding'
Limit the printer appVM to access the printer device only.
app="printer"
printer_IP="192.168.178.1" # modify to your configuration!
qvm-firewall ${app} del accept
qvm-firewall ${app} add accept dsthost=${printer_IP}
qvm-firewall ${app} add accept specialtarget=dns
qvm-firewall ${app} add accept proto=icmp
qvm-firewall ${app} add drop
Verify that printing works as before.
Perform i.e. a ping test to verify the new printer firewall configuration.